Attacks on browser-based content sniffing


While working on a project I came across the very interesting topic of attacks abusing MIME sniffing in browsers. Obviously this isn't really new but I just didn't have any practical use for it, so I never dove into the details until now. For future reference I decided to write a comprehensive blog post about it here.

MIME sniffing is a technique, implemented in IE since version 4.0, that lets the browser guess the content type of downloaded files dynamically. The browser looks at the magic bytes at the start of a file and decides whether to trust the Content-Type the server sent or to use its own guess: if the server's type does not match what the magic bytes suggest, IE goes with its own guess. This becomes a problem once a website lets users upload content that is then published on the web server. If an attacker crafts a file so that the web application accepts it (as an image, say) but the browser renders it as HTML, the script embedded in that "image" runs in the victim's browser as soon as the victim views it. For more details, read heise online on the topic [3].

Quick test for web applications
To quickly assess whether an application is vulnerable to this type of attack, check whether all of the following criteria are fulfilled:

  1. The application allows uploads.
  2. The application does no post-processing on the uploaded content.
  3. The content is downloadable through the application.
  4. The content is not checked for MIME type mismatches.

Try uploading the following PNG file, which pretends to be a JPG, to the site in question (pay close attention when downloading the file: some browsers such as Firefox might append .PNG to the file name; remove it). If a subsequent download of the file returns the exact same bytes with a content type of image/jpeg, the app is vulnerable. Opening the file in IE will render an alert box on the screen.

For this to work, you need to direct the browser to the file itself; having it loaded from an image tag inside an HTML page, for example, is not enough, because the browser only sniffs a file into HTML when it navigates to that file directly.

Sidenote: IE 8 is no longer vulnerable to the image-based attack [2].

The same attack also works with PDFs and other file types. So if the app does not allow images but accepts other content for upload, it still needs to be evaluated whether such attacks are possible.

How to protect your web app
There are several means of protecting your application from this type of attack.

If dealing with images, use something like the ImageMagick tools to resize or recompress the uploaded images before serving them. Either operation re-encodes the pixel data and removes the injected markup [5]. Strip metadata as well (ImageMagick's -strip option does this), since comment and text chunks can survive a plain resize or recompress.

Microsoft also introduced HTTP headers in IE 8 that control content sniffing [2].

To force the browser to trust the server's content type, send the following additional HTTP header:

X-Content-Type-Options: nosniff

Additionally, it is a good idea to use Wikipedia's approach as a second line of defense: host user-uploaded content on a separate (sub)domain. That way, any script that might be hidden in the content does not execute in the origin of your web application and therefore has no access to its session cookies, DOM, etc. Note that a subdomain still receives cookies scoped to the parent domain, so a completely separate domain is the safer choice.
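The following Python script is an added example, not code from the post: it builds the kind of probe file the quick test above calls for, applies criteria 3 and 4 of that test to the response that serves the file back, and implements the protections described in this section (validating the served type against the magic bytes, stripping and re-deflating the PNG as a lightweight stand-in for the ImageMagick step, and sending the nosniff header). The payload, the 1x1 image and the chunk layout are constructed here; the 256-byte prefix figure is the one Barth et al. report for IE's sniffer [1].

```python
# Added example (not the post's code): probe file for the quick test plus the server-side
# checks from the protection section. The sample payload and image are constructed here.
import re
import struct
import zlib
from typing import Dict, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAGIC = {  # served content type -> leading bytes that prove it
    "image/png": (PNG_SIGNATURE,),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Tags an HTML sniffer keys on; a production filter would scan the whole file, not a prefix.
HTML_MARKERS = re.compile(rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|meta|svg)\b", re.I)
PNG_KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}  # all a decoder needs to show the image
PAYLOAD = b"<html><body><script>alert('sniffed')</script></body></html>"  # constructed, harmless


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, type, body, CRC32 over type + body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_probe_png(payload: bytes = PAYLOAD) -> bytes:
    """Valid 1x1 RGB PNG carrying HTML in a tEXt chunk placed before IDAT, so the markup
    lands inside the first 256 bytes that IE's sniffer examines (Barth et al.). Image
    decoders ignore tEXt, so the file still displays as an image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8 bits/sample, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return PNG_SIGNATURE + b"".join([
        png_chunk(b"IHDR", ihdr),
        png_chunk(b"tEXt", b"Comment\x00" + payload),
        png_chunk(b"IDAT", idat),
        png_chunk(b"IEND", b""),
    ])


def sniff_magic(data: bytes) -> Optional[str]:
    """Content type proven by the leading bytes, or None if not an allowed image type."""
    for ctype, signatures in MAGIC.items():
        if data.startswith(signatures):
            return ctype
    return None


def download_is_sniffable(headers: Dict[str, str], body: bytes) -> bool:
    """Criteria 3 and 4 of the quick test, applied to the response serving the upload:
    declared type disagrees with the magic bytes, HTML sits in the sniffed prefix, and
    nothing tells the browser to trust the declared type."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip()
    actual = sniff_magic(body)
    mismatch = actual is not None and declared != actual
    return mismatch and bool(HTML_MARKERS.search(body[:256])) and h.get("x-content-type-options") != "nosniff"


class UploadRejected(ValueError):
    pass


def validate_upload(data: bytes, claimed_type: str) -> str:
    """Criterion 4 on the server: serve the type the bytes prove, never the one the client claimed."""
    claimed = claimed_type.split(";")[0].strip().lower()
    if claimed not in MAGIC:
        raise UploadRejected(f"type not allowed: {claimed}")
    actual = sniff_magic(data)
    if actual != claimed:
        raise UploadRejected(f"magic bytes say {actual}, client claimed {claimed}")
    return actual


def sanitize_png(data: bytes) -> bytes:
    """Criterion 2, post-processing: re-serialize the PNG keeping only the chunks needed to
    display it, with the pixel data re-deflated. Drops tEXt/zTXt/iTXt and other ancillary
    chunks and defeats stored (uncompressed) deflate blocks that would keep markup readable
    inside IDAT. A stand-in for the ImageMagick resize/recompress the post recommends."""
    if not data.startswith(PNG_SIGNATURE):
        raise UploadRejected("not a PNG")
    pos, kept, idat = len(PNG_SIGNATURE), [], []
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        end = pos + 12 + length
        if end > len(data):
            raise UploadRejected("truncated chunk")
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise UploadRejected("bad chunk CRC")
        pos = end
        if ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
        elif ctype in PNG_KEEP:
            kept.append(png_chunk(ctype, body))
    if not idat:
        raise UploadRejected("no image data")
    try:
        pixels = zlib.decompress(b"".join(idat))
    except zlib.error as exc:
        raise UploadRejected("corrupt image data") from exc
    kept.append(png_chunk(b"IDAT", zlib.compress(pixels, 9)))
    kept.append(png_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(kept)


def serving_headers(content_type: str) -> Dict[str, str]:
    """Headers for the download: the proven type, plus the IE 8 opt-out from sniffing."""
    return {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
```

Run `download_is_sniffable({"Content-Type": "image/jpeg"}, build_probe_png())` to see the vulnerable case from the quick test (True), and `sanitize_png` on the same probe to see the markup disappear from the file; real deployments should decode to pixels and re-encode with an image library, since the chunk stripper only handles the PNG container, not the other file types the post mentions.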

Background

For further background on this type of attack I recommend the paper [1] by Barth et al. of UC Berkeley, which details the inner workings of MIME sniffing.

Another interesting angle comes into play once an attacker controls the server itself. Jose Nazario over at the Arbor Networks blog describes a phishing attack that also abuses MIME sniffing [4].

[1] Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves, Barth et al., UC Berkeley

[2] IE8 Security, Part V, IEBlog, Microsoft

[3] Risky MIME sniffing in IE, heise online

[4] MIME sniffing and phishing, Arbor Networks security blog

[5] Watch out for new attack vectors based on buffer overflows in ImageMagick, though.

About this Entry

This page contains a single entry by Thomas Jaehnel published on November 9, 2009 8:00 PM.


This blog is licensed under a Creative Commons License.